Skip to main content

Authorization Logic — Query Builder

  • 2 minutes to read

DevExpress ASP.NET MVC Query Builder allows users to browse available data connections and tables. The Query Builder is integrated into both the DevExpress Report Designer and Dashboard Designer and can be used as a standalone control. To address CWE-285-related security risks, you should restrict access to data displayed within the Query Builder.

#Apply Authorization Attributes

The Authorize attribute specifies authorization rules for application pages. To protect your application, apply the Authorize attribute to the controller class. Use the AllowAnonymous attribute to allow anonymous access to public actions:

cs
namespace SecurityBestPractices.Mvc.Controllers {
    [Authorize]
    public partial class AuthorizationController : Controller {
        [AllowAnonymous]
        public ActionResult QueryBuilder() {
            return View("QueryBuilder/Index");
        }
    }
}

#Implement Authorization Logic

Follow the steps below to implement authorization in the DevExpress Query Builder extension:

  1. Implement a custom connection string provider to restrict access to connection strings:

    cs
    public class DataSourceWizardConnectionStringsProvider : IDataSourceWizardConnectionStringsProvider {
    
        public Dictionary<string, string> GetConnectionDescriptions() {
            Dictionary<string, string> connections =
                new Dictionary<string, string> { { "nwindConnection", "NWind database" } };
    
            // Implement access restriction logic, for instance
            // if(GetIdentityName() == "Admin")
            //     connections.Add("secretConnection", "Admin only database");
    
            return connections;
        }
    
        public DataConnectionParametersBase GetDataConnectionParameters(string name) {
            return AppConfigHelper.LoadConnectionParameters(name);
        }
    }
    
  2. Implement a custom database schema provider to restrict access to data tables, views, and stored procedures:

    cs
    // Uncomment the following class for the Query Builder integrated into Dashboard Designer
    
    // public class DataSourceWizardDBSchemaProviderExFactory : DevExpress.DataAccess.Web.IDataSourceWizardDBSchemaProviderExFactory {
    //    public IDBSchemaProviderEx Create() {
    //        return new DBSchemaProviderEx();
    //    }
    //}
    
    public class DBSchemaProviderEx : IDBSchemaProviderEx {
        public DBTable[] GetTables(SqlDataConnection connection, params string[] tableList) {        
            // Check permissions here
            var dbTables = connection.GetDBSchema().Tables;
            return dbTables.Where(t => t.Name == "Categories" || t.Name == "Products").ToArray();
        }
    
        public DBTable[] GetViews(SqlDataConnection connection, params string[] viewList) {
            return Array.Empty<DBTable>();
        }
    
        public DBStoredProcedure[] GetProcedures(SqlDataConnection connection, params string[] procedureList) {
            return Array.Empty<DBStoredProcedure>();
        }
    
        public void LoadColumns(SqlDataConnection connection, params DBTable[] tables) {
        }
    }
    
  3. Register your custom providers in the Global.asax.cs file for the DevExpress Report Designer, Dashboard Designer, or standalone Query Builder:

    DefaultReportDesignerContainer.RegisterDataSourceWizardConnectionStringsProvider<DataSourceWizardConnectionStringsProvider>();
    DefaultReportDesignerContainer.RegisterDataSourceWizardDBSchemaProviderExFactory<DataSourceWizardDBSchemaProviderExFactory>();